The bill lets education technology companies continue to collect huge amounts of intimate information on students, compile it into profiles of their aptitudes and attitudes — and then mine that data for commercial gain. It permits the companies to sell personal information about students to colleges and employers, and potentially to military recruiters as well.

And it empowers schools to authorize even wider disclosure of student data, without notifying parents or seeking their consent, according to a near-final draft reviewed by POLITICO.

At least one education technology company, Microsoft, already has endorsed the bill. And the chief sponsors, Reps. Luke Messer (R-Ind.) and Jared Polis (D-Colo.), said they’re confident it will quickly earn bipartisan support in both chambers; Polis said he believed it would sail through the House under a suspension vote, with limited debate and no amendments.

Privacy advocates and parent activists, however, are crushed.

“This bill doesn’t fulfill President Obama’s stated commitment to ensure that data collected in the educational context is used only for educational purposes,” said Khaliah Barnes, director of the Electronic Privacy Information Center’s student privacy project.

Barnes said “huge loopholes” and “escape clauses” sprinkled throughout the 18-page draft undermine the positive elements of the bill.

Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, went further: “This bill reads as though it was written to suit the interests of for-profit vendors and not the interests of children,” she said.

The bill comes at a time of increasing anxiety among parents, teachers and school administrators about the proliferation of classroom technology — and the lack of transparency as to how student data is being used.

The market for educational technology for preschool through high school is huge; last year, it hit nearly $8 billion. And every time a student clicks through an online textbook, watches tutorials, plays games or takes quizzes online, he sheds an enormous amount of data, not just about what he knows but also about how he learns, thinks and perseveres in the face of challenge. Top ed-tech companies boast of collecting millions of unique data points on each child each day. That’s orders of magnitude more than Facebook or Google gather on their customers.

And most of that data isn’t protected by existing federal privacy law because it’s not part of a student’s official “educational record,” which generally consists of final grades, standardized test scores and other basic records that would at one time have been stored in a file cabinet in the principal’s office.

Both the Senate and the House are contemplating updating that privacy law, which dates to 1974.

Those updates, however, would not address the rights and responsibilities of the ed-tech companies that handle student data. That’s what the new bill, dubbed the Student Digital Privacy and Parental Rights Act of 2015, is designed to tackle. Obama turned the task of writing it over to Messer and Polis, who said they worked closely with the White House on the language. The White House declined to comment until the bill is officially released.

Messer said he realized that some privacy advocates wanted tougher regulation, including an explicit right for parents to opt out of having their children’s data mined by commercial vendors.

But he urged that they view the bill as a step forward “compared to current law, where there’s very little protection for parents.”

And he noted that states have the freedom to enact more restrictive laws if they see fit. In just the past few years, nearly 150 bills touching on student privacy have been introduced in 40 state legislatures, with some states moving to protect not just academic data but also information on students’ medical needs, disciplinary infractions, lunch purchases and web search activity. The federal bill does not explicitly protect those categories of data.

“Our belief is that this is a reasonable floor of protection,” Messer said. “Time and the future development of technology will determine how much further states will want to go. If we haven’t gone far enough, we believe states will send us the message that more needs to be done.”

The ed-tech industry has lobbied against any kind of federal regulation, on the grounds that too many restrictions would slow innovation.

Instead, the industry has been pushing a voluntary Student Privacy Pledge, which has been signed by 125 ed tech companies of all sizes, from start-ups to giants such as Apple and Google. (The pledge was brokered by Messer and Polis, who incorporated some of the same language in their bill.)

The Software and Information Industry Association, which represents ed-tech firms, declined to comment on the specifics of the new bill. But Mark Schneiderman, the SIIA’s senior director of education policy, expressed frustration that it wouldn’t preempt state legislation. If Congress is determined to pass a federal privacy bill, its priority should be to “harmonize and simplify” the patchwork of state laws, not create “further complications” for the industry, Schneiderman said.

“We worry that this bill only adds additional complexity and legal hurdles to innovations for educational services,” said Carl Szabo, policy counsel for NetChoice, a trade association for e-commerce businesses.

The bill assigns enforcement to the FTC, which can go after companies for unfair or deceptive practices if they violate the privacy rules.

James Steyer, a privacy activist and the CEO of Common Sense Media, said he was pleased to see that enforcement mechanism.

“We’re glad they recognized that the industry’s voluntary pledge is not enough,” Steyer said. “Will this draft be perfect? No. But it’s really moving in the right direction.”

Fred Humphries, a vice president at Microsoft, praised the bill as well, writing in a blog post that it “strikes the right balance between protecting student privacy [and] fostering innovation in schools.”

Even critics of the bill acknowledged some strong elements, such as a ban on using personal information to target advertising at students and a requirement that ed-tech companies delete data within 45 days at a school’s request.

But overall, they called the bill too riddled with loopholes to be effective.

Take the provision barring companies from selling personal information about students. At first glance, that seems like a rock-solid ban. Yet the next page of the draft bill introduces an exception: The company is permitted to sell data if a student or parent requests that it be shared with others “in furtherance of post-secondary education or employment opportunities.”

An online textbook, tutorial service or gaming app could likely fulfill this requirement by asking kids to check a box if they want to hear from colleges or employers interested in students just like them.

The College Board and ACT present students with a similar box on standardized tests such as the SAT; as many as 85 percent check it, allowing the test developers to sell detailed profiles on millions of students, including their test scores, grades, activities, family income and religious preference, to colleges and scholarship organizations.

Ed-tech companies, which can collect tens of millions of data points on students, could develop even richer profiles than the College Board, full of sensitive details about a child’s cognitive abilities, personality and learning styles — and could potentially make a lucrative business out of selling them to the private sector.

Or consider the provision that requires companies to use and disclose students’ personal information only for “K-12 purposes.”

The draft bill defines “K-12 purposes” as any endeavor that benefits the school; helps with instruction; nurtures collaboration between students, school personnel or parents; or prepares kids for post-secondary education and employment. Companies can use student data to develop products for any of those goals. They can also disclose student data to anyone else who has those goals in mind.

That’s a pretty broad category — but it gets broader still: The bill states that “K-12 purposes” also includes “other purposes specified by a school or school official.”

Many ed-tech companies are actually considered “school officials” under another federal law. The Polis-Messer bill would let these companies define “K-12 purposes” for themselves — which would essentially give them the right to decide on their own how they would use and share student data.

The bill has a good intent, in that it aims to limit the use of student data to school-related purposes, but “the actual language that they’re proposing opens up some significant loopholes,” said Joel Reidenberg, a privacy scholar at Fordham Law School.

“This statute is making a first stab at drawing some value lines as to what is a commercial use and what is an educational use,” Reidenberg said, “but I don’t think it draws that line in a place that comports with parent expectations.”

Polis said he believed the bill “responds to the real concerns that parents and students have about the privacy of information.” But he, too, urged states to take their own look at the subject. “We encourage innovation in the states,” Polis said, “so we can find the right balance between harnessing the promise of education technology and protecting student privacy.”